The purpose of this article is to address protection against loss of data. I am defining loss in two ways. The first is no longer having access to the data. Lack of access may be because of hardware failure, for example a hard drive failure, or because the device holding the data is no longer available, for example due to theft. The second definition of loss of data is when another party gets access to the data. I work under the assumptions in West Africa that hard drives fail often and if a computer is stolen it is unlikely that it will be retrieved.
This document is primarily addressing data-at-rest rather than data-in-motion or data-in-use. This means the data is physically stored on your computer and the computer is off. There is a whole other set of strategies for protecting data-in-motion/use, dealing with strong passwords, firewalls, secure network traffic, operating system updates, etc.
The best way to prevent the loss of data is to make sure the device that is storing it remains in your possession. There are two ways to do this:
- Cable Lock: For many years computers have come with lock ports. A simple laptop cable lock can be purchased for less than USD $20 and is easily transportable. While at home or travelling it is easy to attach the cable to a piece of furniture and perhaps keep the computer from being stolen in the first place.
- Recovery Label: Once a computer is stolen it is unlikely that it will be recovered, but it may be worth planning for that possibility. The device may be sold to a Good Samaritan who would contact you if they knew how. Two companies offer ID labels that offer a reward and a way to contact you if your stuff is found: Stuffbak and BoomerangIt.
Computer backups are one of those things that everybody knows is good, but we still don’t always do. Worse, it is often a place we try to save money and get by with the least effective product. It then becomes difficult to do and may take a long time, causing it to happen less often.
Over the years I have tried three categories of backup methods:
- File Copy/Synchronization: Most external drives come with a free backup program. What they do is very simple; they copy a list of files and folders on the computer to the external drive. In case the computer drive is lost (failed or stolen) the important data is still available. I have several problems with this method:
  - The destination is usually not encrypted and so is easily available to anybody who has access to the external drive.
  - These programs usually cannot handle open files. Either you have to close everything before you do a backup, or any open files will not be backed up.
  - It is a data backup, not a computer backup. If your hard drive dies, you have to manually install Windows and all of your programs and only then can you copy your files back over. That could take a long time.
  - It is not reliable. I recently ran into a situation where the backup would only copy the file the first time; it would not copy it during subsequent backups when the file changed. For the computer in question that had happened over a year before on many important files.
- Windows Backup: For many years and through several versions of Windows this has been my primary backup program. It is free, it comes with Windows, it is a full computer backup (you can restore the entire computer from it), and it is reliable. Since it came with Windows, if my computer died I could take my backup to another computer and at least get to important files. Microsoft has vastly improved backup in Windows 7 and I would still recommend it over the File Copy method above. My biggest problem with Windows Backup is that it is a full backup every time. This can mean several hours backing up every week. I also do not believe there is a way to password protect the backup file.
- Full Backup Software: There are many good backup programs out there and this is not an attempt to evaluate all of them. Many people have recommended Acronis TrueImage to me and so I tried it out, primarily because of the problems mentioned above with Windows Backup. I have found it very easy to use. I do a weekly differential backup (only the changes since the last full backup) with a full backup every five backups. Here are the advantages that I see:
  - Differential backups mean that my backups do not take very long as it is only the files that have changed. It also gives me file versions. If I edited a file on Friday and backed it up on Saturday and on Sunday realized I screwed up, I can go to a previous backup to get it back.
  - I have access to Bare Metal Restore, meaning that if my hard drive dies I can buy a new one, boot off of my Acronis restore CD and image my hard drive from my last backup. I could be back up and running in a matter of hours with all of my files, programs, and settings.
  - Acronis backup files can be converted to Windows Backup files so they can be opened on other computers.
Acronis TrueImage Home cost me USD $39. After what I have invested in the computer, NAS, external hard drive, and the work I have put into creating data it seems well worth that investment to make sure that not only do I have a good backup but that I can easily restore my system to full running capability.
For many years I have relied on my Windows password to protect my computer from prying eyes, but as I have worked more with retrieving data from failed drives I have realized just how simple it is to get data off of a hard drive. The Windows password is essentially a data-in-use protection. I can boot off a computer with another operating system from the CD drive or pull the hard drive out and connect it to another computer and easily access all of the data on it. I have recently tried two approaches to encrypt the data on my hard drive so that it is useless to anybody else who gets their hands on my computer:
- Software: Since my dad introduced me to computers, it has been my practice to partition my hard drive and use one for the system and programs and the other for my data. I tried TrueCrypt which not only has had many rave reviews but is also free. Because of my experience in trying to get an operating system running again when there is a problem and not wanting to mess with that, I decided to encrypt only my data partition. For the most part I had a very good experience. There was no apparent system overhead from the encryption and all programs saw the drive just fine. I was able to set TrueCrypt to auto mount the drive as soon as I logged in to Windows; it just required my encryption key. TrueCrypt is also very flexible. I chose to encrypt a whole partition, but it could have just been a file, even a file on a USB drive. This would allow for a subset of data to be encrypted, like financial or donor records. It also allows for a hidden partition that may pass cursory inspection by a security agency. There were a few problems that I ran into:
  - Because I typed the encryption key in after I logged in to Windows, programs that automatically loaded and quickly needed access to the My Documents folder (which I moved to my data partition) would error out because it would not be available yet. Note that this would not have been a problem if I encrypted the whole hard drive. My encryption key would have been required at boot.
  - Backup programs that worked at the disk or partition level (ex: Windows Backup) could not access the encrypted partition. I tried many suggestions but could never get around this. I had to do a normal file backup which does not allow a bare metal restore.
  - Because it was a software solution, it was not always flawless. I used it for seven months, and the last two months it often did not assign a drive letter to the partition. I had to go into the program and manually reset it.
The benefit to a software solution like TrueCrypt is that it can work in your current situation. I could encrypt a few files and put them on a USB drive, encrypt a partition or encrypt the whole disk. I did not have to buy any special hardware or need any particular capabilities on my computer.
- Hardware: A month ago I installed a Seagate Momentus FDE (Full Disk Encryption) drive. This is one of a new series of drives that are self-encrypting. For years motherboards have allowed users to put passwords on hard drives. Although this provided protection from many data thieves, it really only wrote the password to the drive controller but did not affect the data itself. Self-encrypting drives use this standard to send the encryption key. The hard drive “password” becomes the key by which all data stored on the physical platter is actually encrypted. There are a few implications of this method:
  - Because the password is the encryption key, if you change the password, you essentially wipe the drive. This is good for disposal.
  - The benefit to doing the encryption on the drive is that it is transparent to the operating system. When I turn on my computer, the BIOS asks me for the drive encryption key and then unlocks it. Whenever power is removed from the drive it is automatically locked. My computer’s BIOS allows me to set other times it will be locked. In my case, if I reboot or even put my computer to sleep the drive is locked.
  - Because the encryption is being done at the hardware level and is transparent to the OS, it has not caused any problems with backup software. The drive is unlocked before the operating system loads so does not affect auto loading programs or services that need data off of an encrypted volume.
  - Since the whole drive is encrypted, you cannot protect only a single volume or hide an encrypted partition.
  - Your BIOS must support it. Because it uses the ATA standard for hard drive passwords, many Intel chipsets support them.
  - Note that other manufacturers like Hitachi and IBM are also starting production. I paid a premium of about 30% on the purchase price of the drive, but estimations are that this technology will become so ubiquitous that all drives in a few years will come with the technology.
One final note on encryption: we have a high rate of disk drive failure in West Africa. In almost every case that I have worked with, we have been able to plug the drive into a USB enclosure and retrieve the data before the drive completely dies. If a drive is encrypted, it removes that possibility. That means good backups are even more vital if you use this technology.
For many years all of our important data has been stored on computers. With increased use of other devices like smart phones and tablets, it is important to remember that they also need to be protected. Much of the data that I mentioned in the first section is now stored on these devices.
- Backup: There are two options for backup. Several apps have been developed to back up devices to the cloud. That is not always practical in areas with slow internet access. My iPhone and iPad both automatically back up to iTunes when I plug them into my computer. I try to do this at least once a month.
- Encryption: I think that all of the modern smart phone operating systems offer an option to wipe a device if the wrong password is entered too many times. I have that set on my iPhone and iPad for ten times. There is a caveat that I just discovered: if you plug the device into a computer with iTunes, iTunes can still read all of the data on it without a password. This area needs more research.